?
Solved

SBS 2003 and Server 2008 shared folder privileges?

Posted on 2010-11-24
7
Medium Priority
?
630 Views
Last Modified: 2012-05-10
Hi All,

We currently have 3 different sites which are interlinked via a VPN.  The main site is running on SBS 2003, and the other 2 are running on server 2008.  All users have access to 3 shared folders through the network, but these are all top level folders.  Meaning that all users can view everything on each shared folder.  Some folders such as the admin folder is set up for a few users and denies access to the rest.

My question is, what is the best practice to set these folders up to make sure that certain users only can view what they require?  Should I set up a separate shared folder for each are? I.e, accounts, sales, quotations etc?  Create user groups and just add the higher privileged users there?  Is it bad the way these folders are currently set up?

Any help would be appreciated.
0
Comment
Question by:choy77
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 9

Expert Comment

by:dmessman
ID: 34206244
there are many ways to do this and it's based on your persona preference.  But the extent to which you create different shares should be based on how large you expect the restricted resource to be.

You definitely should create multiple security groups - accounting, admin, sales, etc.  Add members to groups as appropriate.  

For accounting, make a whole new share.  But then if there's one folder within accounting that's super private, you wouldn't make a whole new share.  Just restrict permissions to a group based on that.  For example, if there was a folder that contained salary information that regular accountants and only the CFO and CEO should see, don't make a whole new share - just create a new security group that only contains the CFO and CEO and protect that folder.  

I generally follow that theory - large folder hierarchies get their own share and drive letter.  Tiny folder hierarchies just get restricted by security group.  Medium folder hierarchies - your call.
0
 

Author Comment

by:choy77
ID: 34206718
Ok, that makes sense, thanks for the information.  So, say I create a new security group for users I only want to be able to access the accounts folder, how do I go about denying access to the folder for every other user?  Or even hiding the folder so people cannot view it?  Are you aware of a lot of companies that operate this way with having shared folder like this?  Or is this living dangerously?

Thanks.
0
 

Author Comment

by:choy77
ID: 34206757
On another note, is there a prefix in which new security groups should be given? Or a way in which they should be named?

Thanks
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:choy77
ID: 34206869
And how can I stop users from deleting folders which they have note created, and put certain users in a group who will be able to delete folders/files etc?
0
 

Expert Comment

by:sivra
ID: 34207503
You can go to that top level folder properties, security.  Click the advanced button, edit button, select a user or group, click edit.  Now there is a drop down that probably says "This folder, subfolders, and files".  You can change the Everyone permission here to this folder only.  This allows users and groups to view the subfolders, but you can individually assign permissions to those folders now without an inherited permission from the root folder.  

Remember that the deny permission always overides allow permissions.
0
 
LVL 9

Accepted Solution

by:
dmessman earned 2000 total points
ID: 34229936
To stop users from accessing or deleting folders they don't have access to, don't give them access.  You shouldn't really need to set deny permissions.

Let's say you have an accounting folder with subfolders of A, B, and C.  You want all accountants to access A and B, but only a group of accountants called CFO to access C.  

Create a share called accounting.  

For the accounting share, give the accountants group full control to the accounting share and all subfolders (as described above by sivra).

Now, go to folder C.  Edit the security group permissions and remove accountants group.  Add the CFO group.  Apply to that folder and all subfolders.  Now, acocuntants won't be able to access that folder.  There is no deny permission - but no allow permission, so only members of the CFO group will be able to access it.

0
 

Author Closing Comment

by:choy77
ID: 34360731
Thanks for your help
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question